Feeds

Will bloggers get the blame for DoH mess?

Criminal charges for who?

The essential guide to IT transformation

Opinion Health Secretary Patricia Hewitt said the mess made of online applications for doctors could lead to criminal charges. But did she mean the people responsible for such a shoddy system or did she mean the bloggers who brought the problems to light are likely to be charged?

A touch surprising to find the Secretary of State for Health, Patricia Hewitt, stating the truth in a written ministerial statement to the Commons on Tuesday:

"Because the investigation has made it clear that criminal offences may have been committed, the MWR analysis and report have been given to the police."

That "may" is a little mild, as it is quite clear that criminal offences have been committed during the wonderful little saga of the medical training application service (MTAS) and its computer system. Over and above the usual political porkies that is, such as this line from the statement:

"There had been two security breaches of the medical training application service (MTAS) that arose on 25 and 26 April."

There was no security breach that arose on 26 April. There was one that was revealed on that date, yes, but the breach went back to the beginnings of the system and was inherent in the design.

The breach itself was one that would ashame the most neophyte of script kiddies. There was no attempt to create a login session when someone entered the system, nor was there any checking of the IP of the machine being used to prevent session hijacking.

As David Gillies has pointed out: "There is NO WAY that this was anything other than gross incompetence. It is inconceivable that MTAS had a working login session mechanism that was then replaced by the brain-dead version it had when the security breaches came to light."

He then goes on to say that this is a level of stupidity likely actionable under the Data Protection Act. "Implementers of systems containing personal information have a statutory duty, I believe, to ensure only authorised persons have access to that data."

So there's our first criminal offence, among those who planned, built, and implemented this system.

Then there are those who brought the problem to light, such as the NHSBlogDoctor. Distressed at being informed of such a gaping loophole in the system he went to have a look for himself. This is a criminal offence - hacking a computer system. Unable to believe what he saw, he asked a few trusties to have a look themselves - another offence, incitement to hack a computer system.

Having committed these offences, what did the Good Doctor do then? He informed the Department of Health and the system was taken down within a few minutes, thus preventing said department from continuing in their own breach of the law.

Only the excessively cynical would believe that Ms Hewitt was referring only to the second set of breaches, rather than the first, or that the police will concentrate on the whistleblower(s) rather than the original problem.

The realists among us though, will note that there is still something of a problem. When alerted to a possible breach of the law by the authorities, it would seem that investigating such breach is in itself a criminal offence. That's certainly the way to bring about some accountability to the system don't you think? A way of preventing the more obvious lunacies, of improving the system?

But, of course, this is paranoia. No one is going to interpret the law that way, are they? In a world where adding ../../../ to a URL is worth £400 plus costs and the loss of your job and career. No, of course not, it's just paranoia. ®

Tim Worstall is a freelance and blogs at www.timworstall.com.

5 things you didn’t know about cloud backup

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.